[00:01.260 --> 00:05.340]  Hey, everyone. My name is Eric Escobar, and today my talk is going to be on detecting the unseen
[00:05.340 --> 00:10.380]  adversary, which is really just wireless blue teaming with a snappy sounding name to it.
[00:11.020 --> 00:15.180]  So, this talk is going to be a one-cut take. There's going to be a lot of ums, a lot of uhs,
[00:15.300 --> 00:19.480]  a lot of me fumbling with my mouse trying to transition a slide. So, this is going to be
[00:19.480 --> 00:23.640]  just as if I were up on stage and the demo gods are just going to be as much of a problem.
[00:24.020 --> 00:30.540]  So, without further ado, let's talk about me. So, I like to kind of pose the point that I'm
[00:30.540 --> 00:35.360]  forever noob. The best thing about computers and computer security is that no one is ever going to
[00:35.360 --> 00:40.640]  know everything, and the person that says that they do is just completely lying. I started off
[00:40.640 --> 00:45.720]  my professional career as a civil engineer. You know, I got my degrees in civil engineering to
[00:45.720 --> 00:50.560]  build bridges, dams, and all these big things that you see out on the highway. I got the opportunity
[00:50.560 --> 00:56.400]  to basically be an analyst at a company. I got a great opportunity there, and we started coming
[00:56.400 --> 01:01.680]  to DEF CON for, I believe, DEF CON 22. And from there, I was competing in the wireless capture
[01:01.680 --> 01:07.820]  the flags. We won a couple of times, and now I'm one of the village members. And yeah, I get to
[01:07.820 --> 01:13.260]  help make the challenges. And my full-time job now is as a pen tester for SecureWorks, where I
[01:13.260 --> 01:19.780]  basically just pen test wireless all day. And this talk is really one of these talks of, you know,
[01:19.780 --> 01:25.040]  stuff that isn't crazy super hackery, stuff that isn't completely unobtainable. It's a lot of
[01:25.040 --> 01:30.520]  simple tactics that I used to get into a lot of really large companies. And really, this talk
[01:30.520 --> 01:34.420]  kind of stems from the fact that these are conversations that I have with my clients
[01:34.420 --> 01:39.020]  day in and day out. And it'd be really nice to point people in the direction of kind of, like,
[01:39.020 --> 01:45.660]  my overall summary of this stuff. Okay, so detecting the unseen adversary. It's like a
[01:45.660 --> 01:51.200]  super markety title that I'm not in love with, obviously. But whatever, I needed a tagline.
[01:51.960 --> 01:55.900]  So one of the things that I've discovered just doing wireless pen tests is that a lot of my
[01:55.900 --> 02:00.040]  clients have robust logging and alerts for all of their internal network security and all their
[02:00.040 --> 02:04.520]  external network security. When I say external, I'm talking about, like, the public internet. So
[02:04.520 --> 02:08.960]  they have firewalls that detect when scans get run. You know, they can detect somebody doing
[02:08.960 --> 02:13.960]  some nefarious stuff on their internal environment. But they almost all fall down when it comes to
[02:13.960 --> 02:19.700]  detecting anything on their enterprise wireless. So any, you know, WIDS or WIPS, which is wireless
[02:19.700 --> 02:26.520]  intrusion prevention or intrusion detection, it's basically, you know, back into the 90s. You
[02:26.520 --> 02:31.340]  know, there are not a lot of companies that do it. And if they do anything regarding it, it's not
[02:32.060 --> 02:38.220]  really that robust and can get knocked over pretty easily. So some of the benefits of wireless
[02:38.220 --> 02:43.540]  attacks. I don't have to have any internal access to any network, to any environment. You don't have
[02:43.540 --> 02:47.640]  to sneak in anywhere. I don't have to clone keys, badges, or do any of this. I can typically just
[02:47.640 --> 02:54.200]  post up in a park with a, you know, with a long range antenna or, you know, sit in some kind of
[02:54.200 --> 02:59.080]  lobby or common area. And, you know, I don't need any special access like I would if I were going to
[02:59.080 --> 03:03.600]  try and plug in a device. It's way easier for me to stay anonymous and I can stay out of sight.
[03:03.600 --> 03:07.920]  And then especially if I'm attacking somebody's external infrastructure, there's really not any
[03:07.920 --> 03:12.160]  IP addresses that are going to be logged or anything along those lines that are going to
[03:12.160 --> 03:16.880]  get me caught or at least create a footprint. So that's a lot of the reasons why I like, you know,
[03:16.880 --> 03:21.340]  doing wireless from that kind of standpoint. This is kind of an old image, but this kind of
[03:21.340 --> 03:27.160]  goes back to my old kit of what I, you know, what was founded out of competing in the wireless CTF.
[03:27.520 --> 03:33.100]  Basically, it's just comprised of a little lithium or a little LiPo battery. Is that LiPo? No, it's a
[03:33.100 --> 03:38.040]  whatever, just a little Anker battery connected to a Raspberry Pi and the Raspberry Pi has a USB,
[03:38.040 --> 03:42.660]  you know, wireless adapter that I can put into monitor mode. That's an old TP-Link
[03:42.660 --> 03:47.240]  network adapter. It's, you know, old compared to today's standards. You know, now I use something
[03:47.240 --> 03:52.720]  like a Panda that can do 2.4 and 5 gigahertz frequencies. But at the end of the day, that can
[03:52.720 --> 03:57.460]  easily just fit in my pocket, fit in a backpack, and I can then use my phone to connect into that
[03:57.460 --> 04:05.180]  Raspberry Pi and simply have, you know, an airmon-ng screen or any of my normal tools that run off of,
[04:05.180 --> 04:08.820]  you know, whatever flavor of operating system that you want on that Raspberry Pi.
[04:08.820 --> 04:12.900]  And I can sit there with this device in my pocket, pen testing your network, you know,
[04:12.900 --> 04:17.500]  just sitting like, you know, any other college student just, you know, leaned up against a wall,
[04:17.500 --> 04:20.780]  you know, that wouldn't attract a ton of attention. I'm not going to be like,
[04:20.780 --> 04:25.400]  you know, some of the wireless CTF, you know, members or competitors that walk around with,
[04:25.400 --> 04:28.420]  like, a laptop in the face, you know, with all these antennas and porcupine, you know,
[04:28.420 --> 04:31.940]  stuff all over. I'm not going to be the Wi-Fi cactus or anything like that. I want to come
[04:31.940 --> 04:37.600]  and try and pen test your site. And this is just a screenshot of my iPhone. And, you know, just some
[04:37.600 --> 04:41.180]  things that I can see out of a glance. And again, if you just see somebody walking with their cell
[04:41.180 --> 04:46.580]  phone, you're not going to think anything of it, right? And then this is something that we've taken
[04:46.580 --> 04:51.660]  on engagements where we've, you know, gone on to a large, large site that we have to walk around.
[04:51.700 --> 04:55.540]  And really, this is just the black backpack. You know, you'd have to look a little bit harder to
[04:55.540 --> 05:00.520]  see that there are actually a bunch of omnidirectional antennas, along with, you know,
[05:00.680 --> 05:06.280]  a bunch of just different network adapters all put into this backpack. And it's one of those
[05:06.280 --> 05:09.380]  things that if you're not looking for it, you know, these antennas could easily be placed inside
[05:09.380 --> 05:14.200]  of the backpack. But at the end of the day, we've been able to do engagements that cover thousands
[05:14.200 --> 05:21.460]  of acres worth of, you know, worth of a client site. And, you know, there was full-on, you know,
[05:21.460 --> 05:27.340]  public people there. There were, you know, staff there. There were security people there. And no
[05:27.340 --> 05:31.400]  one saw us. We didn't stick out at all, just because we're normal people with normal backpacks.
[05:31.680 --> 05:36.040]  And again, it's one of those things that it's easy to remain unseen and still do nefarious things.
[05:36.640 --> 05:40.640]  Here's another clip of the backpack. Basically, it's just some larger Anker batteries
[05:40.640 --> 05:46.520]  hooked into multiple Raspberry Pis. And again, you can see on the right-hand side,
[05:46.920 --> 05:51.760]  a bunch of omnidirectional antennas that are kind of just placed, you know, in a not necessarily
[05:51.760 --> 05:57.900]  covert, but in a way that you'd have to really look at that to know what's going on.
[05:59.580 --> 06:04.020]  So I think one of the biggest things, the biggest fly on the wall here is rogue access points.
[06:04.020 --> 06:09.200]  At least I shouldn't say everybody. A large amount of my clients are all very concerned
[06:09.200 --> 06:15.440]  of the rogue access points, but they really don't have any idea what they say or what they mean when
[06:15.440 --> 06:20.360]  they talk about rogue access points. And really, by definition, a rogue access point is just any
[06:20.360 --> 06:25.440]  wireless access point that's not within your control that, you know, that's in your airspace,
[06:25.440 --> 06:29.280]  you know, your physical airspace that you do control where your access points might be.
[06:29.500 --> 06:33.040]  So I mean, really, at the end of the day, technically any phone or any hotspot could
[06:33.040 --> 06:36.560]  be a rogue access point or could be considered a rogue access point. But that's not really what
[06:36.560 --> 06:41.240]  clients most care about. They most care about access points that are designed to mimic their
[06:41.240 --> 06:46.340]  own access points that then their users will connect to and get tricked into, you know,
[06:46.340 --> 06:50.300]  potentially providing credentials or some other type of data that they shouldn't, right?
[06:51.160 --> 06:54.620]  So I'll just give you a couple access points of what a rogue access point can do.
[06:54.820 --> 06:57.180]  There's this tool that I use from time to time called
[06:58.160 --> 07:03.200]  Wifiphisher. And essentially, all that it does is it just stands up, you know, a hotspot with
[07:03.200 --> 07:07.800]  whatever name I want to give it. And it will kick off users by de-authenticating them from
[07:07.800 --> 07:12.780]  their current network with the goal of having them connect to my rogue access point. And when
[07:12.780 --> 07:17.560]  they connect to my rogue access point, I send them to a captive portal. And the captive portal looks
[07:17.560 --> 07:22.200]  like a, you know, just a simple... it takes their user agent. So if they're coming from an iPhone,
[07:22.200 --> 07:27.160]  this would be like the iPhone Wi-Fi screen. This example is coming from a, you know,
[07:27.160 --> 07:31.700]  Windows 10 laptop. So when they open up their browser, it looks like, oh man, I need to type
[07:31.700 --> 07:36.740]  in my wireless network key. What most users don't realize, and most users, you know, aren't security
[07:36.740 --> 07:40.700]  people or tech wizards that are really going to, you know, analyze this. But if you have a full
[07:40.700 --> 07:47.460]  screen browser window open, you'll notice that that's all just rendered in the browser. That,
[07:47.460 --> 07:51.700]  you know, what's asking for your key. Now, if a user types in their key and hits next,
[07:51.700 --> 07:55.980]  that will then submit it to me in clear text because I run that web server. That's my rogue
[07:55.980 --> 08:00.040]  access point. And then it's configured in such a way that the second that they give me a valid
[08:00.040 --> 08:03.780]  credential, it will then shut down my rogue access point. So that means an attacker can just
[08:03.780 --> 08:08.080]  automatically just say, hey, okay, like I'm going to be quiet now. I'm not going to try and draw any
[08:08.080 --> 08:12.260]  more attention to myself. And it's one of those things that like, is this a crazy, super sophisticated
[08:12.260 --> 08:15.860]  hacker technique? Absolutely not. Are people in the wireless village going to make fun of me for
[08:15.860 --> 08:20.880]  even probably talking about this? Sure. But at the end of the day, this has gotten me so many
[08:20.880 --> 08:24.720]  credentials that it's kind of sad. And this has, you know, been the downfall of so many corporate
[08:24.720 --> 08:31.480]  networks that it's definitely worth mentioning because people use it and it works as an attack
[08:31.480 --> 08:34.960]  vector and people are tricked by it. Because at the end of the day, if you're watching this,
[08:34.960 --> 08:38.040]  you're probably a security minded person and you would probably say, oh, man, there's no way that
[08:38.040 --> 08:44.420]  I would fall for it. But, you know, take a step back and think of everybody in your organization
[08:44.420 --> 08:49.340]  that, you know, that deals with Wi-Fi, that deals with, you know, just any device that's connected
[08:49.340 --> 08:54.080]  to the internet, would they fall for it? Well, at the end of the day, I just need a single person
[08:54.080 --> 08:59.480]  to fall for it and that's it. I just need one person to fall for it. And then I have your, you
[08:59.480 --> 09:05.560]  know, in this case, it's a, you know, pre-shared key. So WPA2 PSK network. But there are other
[09:05.560 --> 09:12.800]  attacks such as EAPHammer that, you know, they can mimic a corporate internet, you know, that's
[09:12.800 --> 09:17.280]  WPA2 Enterprise where a user would type in their credentials and then I could get hash credentials,
[09:17.280 --> 09:21.940]  clear text credentials if there's, you know, GTC downgrade. But really at the end of the day,
[09:21.940 --> 09:27.160]  this all surrounds, you know, rogue access points and somebody standing up an access point that
[09:27.160 --> 09:31.940]  mimics your own and being able to detect that it's happening. Because at the end of the day,
[09:31.940 --> 09:36.740]  I'd say that fewer than 10% of our clients even know when we stand up a rogue access point
[09:36.740 --> 09:39.740]  that they're even looking for it. And even if they're looking for it, they may not even get
[09:39.740 --> 09:43.560]  the alerts. I've had plenty of clients that have said like, oh yeah, we have rogue access point
[09:43.560 --> 09:47.480]  detection. And, you know, after the pen test, we went back and looked at our logs and we got all
[09:47.480 --> 09:52.080]  these alerts, but, you know, they were never configured to go anywhere. They were never,
[09:52.080 --> 09:57.080]  you know, configured to get acted upon really is the best case for that. I mean, again,
[09:57.080 --> 10:01.440]  it seems super silly that this is all that my attack vector is a standard rogue access point
[10:01.440 --> 10:07.140]  and hoping to fish some credentials. But at the end of the day, it works. And just the fact that
[10:07.140 --> 10:12.020]  it works is scary enough because it's a really old style kind of attack really.
[10:13.560 --> 10:16.760]  So rogue access points, like I was talking about, they can lead to stolen credentials if you're
[10:16.760 --> 10:23.220]  using say EAPHammer to get WPA2 Enterprise credentials, or in the case of Wifiphisher,
[10:23.220 --> 10:28.000]  you can use that for PSK. So just, you know, shared network key like you probably have at home,
[10:28.500 --> 10:32.560]  you know, and that can lead then to a full internal network compromise. So it can lead
[10:32.560 --> 10:40.380]  to compromised workstations. They can also basically lead to data being exfiltrated,
[10:40.380 --> 10:45.640]  right? So if an end user connects to my access point, I can exfiltrate data off that system
[10:45.640 --> 10:49.820]  without it going through any of the normal controls or processes that it normally would.
[10:50.300 --> 10:54.780]  And then it can also allow users to circumvent corporate policies. So a lot of time that,
[10:54.780 --> 11:01.520]  say your corporation blocks Netflix or Facebook or something, end users might connect their laptop
[11:01.520 --> 11:05.860]  or their mobile device that's work provided, they might connect it to another rogue access point
[11:05.860 --> 11:10.600]  in hopes that they can circumvent that and that they can watch Netflix, that they can do
[11:10.600 --> 11:16.480]  any other basically types of activities that would probably be blocked on any other network.
[11:16.520 --> 11:20.660]  So it's one of those things that end users, you know, may not always get tricked. They might
[11:20.660 --> 11:25.240]  willingly connect to other access points to get to, you know, whatever stuff that they want to
[11:25.240 --> 11:31.800]  that's being blocked by corporate policies. And so this is one of these matrices that
[11:32.240 --> 11:35.900]  I kind of like to reference and use. It might seem a little bit dense,
[11:35.900 --> 11:39.940]  but really at the end of the day, rogue access points are kind of summed up in this way. So
[11:39.940 --> 11:46.680]  the easiest rogue access point for a corporation to detect is an exact match of whatever the SSID
[11:46.680 --> 11:52.440]  is. And SSID is just their wireless name. So say that's like, you know, Home Network 123.
[11:52.440 --> 11:57.700]  So you would see then a second Home Network 123 with a MAC address of 00:11:22, you know,
[11:57.700 --> 12:02.380]  all the way through 55. That would be the easiest to detect because that is completely different,
[12:02.380 --> 12:07.240]  you know, than your normal, whatever your normal MAC address would be. And that's just a hardware
[12:07.240 --> 12:14.200]  address that is associated with that wireless radio. The next hardest would be then basically
[12:14.200 --> 12:18.900]  that exact same SSID with just some random characters that, you know, just randomly
[12:18.900 --> 12:24.140]  generated MAC address hardware address. Then as you kind of like go down that difficulty scale
[12:24.140 --> 12:27.820]  or up the difficulty scale, you're going to see it's going to be an exact match of that, you know,
[12:27.820 --> 12:33.980]  SSID with then a MAC address that's similar to the MAC addresses of the access points that you run.
[12:33.980 --> 12:38.280]  That might be harder for some, you know, for some intrusion prevention detection software
[12:38.280 --> 12:44.740]  to detect is something that's similar to what would be expected. And then if you're talking
[12:44.740 --> 12:51.120]  about a larger client, say I go to, you know, say it's a bank, right? A bank will have multiple
[12:51.120 --> 12:55.900]  branches. Say I went to one bank and copied a MAC address from that site and took it to another
[12:55.900 --> 13:00.920]  branch, you know, in the same town or, you know, same vicinity where wirelessly they won't touch,
[13:00.920 --> 13:04.580]  but that MAC address is at least valid on the network, right?
[13:04.620 --> 13:08.680]  And I stand that up as an access point. Well, now the intrusion prevention detection system
[13:08.680 --> 13:12.540]  is not going to detect me because it is technically somewhere in the system.
[13:12.540 --> 13:16.620]  The controller will just not have any idea of the geography behind that. And so that's
[13:16.620 --> 13:21.340]  makes it harder to detect, you know, and then you keep going. And then now you can make,
[13:21.340 --> 13:29.000]  say your SSID is just similar, but not an exact match to what that Wi-Fi would be with, again,
[13:29.000 --> 13:33.760]  random MAC addresses and then, you know, similar and then going down that same spectrum.
[13:33.800 --> 13:37.300]  At the end of the day, this is just something that an attacker can use and kind of see like,
[13:37.300 --> 13:41.880]  okay, well, you know, what level of sophistication does your monitoring hardware,
[13:42.520 --> 13:49.220]  you know, and detection system, what does that look like? Because for example here, say you were
[13:49.220 --> 13:56.080]  looking for an SSID that matched exactly and it was cloned from a MAC address of the same site.
[13:56.080 --> 14:00.260]  Well, what happens if there's some weird reflection or attenuation there that makes
[14:00.260 --> 14:04.920]  your wireless signals bounce from place to place? Well, if you're doing detection on a
[14:04.920 --> 14:09.640]  MAC address seen by a different access point, now all of a sudden that gets a lot harder and a lot
[14:09.640 --> 14:13.980]  more complicated of a thing to program. And it's probably going to generate a lot of false positives.
[14:13.980 --> 14:18.000]  So it's one of these things that at the end of the day, it's easy to say, oh man, we need,
[14:18.000 --> 14:22.480]  you know, rogue access point detection or rogue access point detection really is an entire,
[14:22.480 --> 14:26.960]  you know, suite of what is an attacker doing. And so it's really important just to kind of
[14:26.960 --> 14:32.980]  break down that nuance and see that, you know, some clients might see an exact match of
[14:32.980 --> 14:38.820]  00:11:22:33:44:55, or maybe even random, but similar to known access points or cloned from
[14:39.180 --> 14:42.600]  a different site or the same site. That's typically not going to get picked up. And it
[14:42.600 --> 14:46.560]  allows an attacker like myself, who's already, you know, attacking wirelessly and is not going
[14:46.560 --> 14:53.600]  to be seen. It allows me to basically not trigger any logs or trigger any detection, which again,
[14:53.600 --> 14:56.780]  you know, is there some software that can detect that? Absolutely. How many clients
[14:56.780 --> 15:02.960]  actually run it? Not a lot. Again, I've probably been detected less than 5, 10% of the time,
[15:02.960 --> 15:07.640]  which is kind of surprising. And this kind of brings me into simple is not the same thing as
[15:07.640 --> 15:12.940]  easy, right? Like all of these things that I've talked about, they're simple to understand,
[15:12.940 --> 15:17.520]  but they may not be that easy to configure, right? And that's an important distinction
[15:18.000 --> 15:24.400]  because just looking for excessive password spraying, you know, watching for devices that
[15:24.400 --> 15:29.660]  continually try credentials over and over and over and over again. There's been a number of
[15:29.660 --> 15:36.060]  sites where I basically just sprayed an access point with user credentials that I got off LinkedIn
[15:36.620 --> 15:41.060]  with the attempt of trying to authenticate to their access point. And eventually it worked.
[15:41.060 --> 15:46.380]  It took a long time. I spent all night trying to, you know, associate with credentials until
[15:46.580 --> 15:50.820]  a pair of them worked. But at the end of the day, that's all that it took. And if somebody
[15:50.820 --> 15:55.860]  was watching their logs, they would have seen, wow, 10,000 attempts. That seems a bit strange.
[15:56.100 --> 16:00.440]  But again, a lot of people don't look at their logs. And is that a simple thing for me to say?
[16:00.440 --> 16:06.260]  Yeah, absolutely. Is it easy? Definitely not. And then same thing, get alerts from
[16:06.260 --> 16:11.140]  rogue access points. A bunch of my clients will have, you know, software or some type of
[16:11.140 --> 16:16.960]  controller available to them that will actually look for rogue access points. I mean, at home,
[16:16.960 --> 16:22.060]  I run Ubiquiti. And it will, you know, if I check that box, it will determine, you know, hey,
[16:22.060 --> 16:25.860]  there's a rogue access point detected. I'm going to send you a push notification to your phone.
[16:26.340 --> 16:31.260]  There's a lot of end users, a lot of clients, a lot of corporations out there that don't even
[16:31.260 --> 16:35.280]  have that box checked. And even though their controller, even though whatever software they
[16:35.860 --> 16:39.900]  have is capable of seeing it, they don't even check the box. So, they'll never even get that
[16:39.900 --> 16:45.540]  notification, even though their software, their controller, whatever it may be, has that, you know,
[16:45.540 --> 16:52.120]  out of the box as an option. And then have a plan to what to do when you do detect a rogue access
[16:52.120 --> 16:57.300]  point. That's one of those things that's like, cool, you detect a rogue access point. Now what?
[16:57.300 --> 17:01.880]  You know, depending on the size of your site, that might be just, you know, taking a walk around the
[17:01.880 --> 17:08.080]  office, or it might be trying to take a walk around a multi-acre, you know, area or an entire
[17:08.080 --> 17:14.600]  campus or an entire outdoor place or an entire sporting arena. And so, it's one of those things
[17:14.600 --> 17:17.940]  that, you know, you have to plan to the scale of your corporation, your company, your organization,
[17:17.940 --> 17:22.540]  whatever it may be, is to, you know, how are you going to locate these? Is your controller software,
[17:22.540 --> 17:27.640]  is it capable of saying, you know, this was seen from this access point or from this location?
[17:27.680 --> 17:30.180]  Or is that something you're going to have to deploy? Is there going to have to be somebody
[17:30.180 --> 17:35.740]  trained in that? A lot of times, it's not enough just to detect them. You have to locate them to
[17:35.740 --> 17:40.500]  see, you know, is this somebody that was doing this nefariously? Or is it, you know, some error
[17:40.500 --> 17:44.640]  in the system? Being able to distinguish that and being able to have a game plan for when that
[17:44.640 --> 17:50.580]  happens will make it less of a panic situation, right? And a lot of that is having a wireless
[17:50.580 --> 17:54.880]  pen test, right? Like, knowing where your weaknesses lie before you actually have to,
[17:54.880 --> 18:00.340]  you know, rely on your logs and rely on your locating, relying on pretty much everything,
[18:00.340 --> 18:06.480]  right? Really, log your data. It's one of those things, it's simple. It's not easy,
[18:06.480 --> 18:10.380]  like, to log your data and look at your logs. Because a lot of the times when I'm doing
[18:10.380 --> 18:16.020]  something, when I'm pen testing, all that data is probably logged somewhere or at least can be
[18:16.020 --> 18:21.560]  enabled or there's some logging software or, you know, something available to you. But people don't
[18:21.560 --> 18:27.300]  look at their logs. You know, sysadmins have a busy job and typically don't look at their logs
[18:27.300 --> 18:32.480]  or really investigate that stuff. Or there may not even be a person dedicated to just wireless.
[18:32.480 --> 18:36.320]  It might just be the network security team and they don't even bother to ingest, you know,
[18:36.320 --> 18:41.820]  their wireless logs that are being generated. So, again, all these things, they're really simple.
[18:41.820 --> 18:47.140]  I feel a little bit sheepish giving a talk about how simple these things are. But each and every
[18:47.140 --> 18:52.400]  one of these things, you know, hasn't been done when I've been on a pen test at times and
[18:52.400 --> 18:58.080]  it's allowed me to compromise a full entire organization, you know, because any number of
[18:58.080 --> 19:02.820]  these, you know, or combination of these weren't done. And again, they're simple, but they're not
[19:02.820 --> 19:09.180]  easy to enact. It's just one of those things. Again, these are simple ways that somebody can
[19:09.180 --> 19:16.160]  get in that typically aren't covered. Now, okay. So, like, kind of switching gears. There's a bunch
[19:16.160 --> 19:20.400]  of other information that wireless devices emit. And there's far more than this, but I just kind of
[19:20.400 --> 19:25.880]  want to give out the basics of it. But really, devices, you know, they can allow users to be
[19:25.880 --> 19:29.920]  tracked. You can identify the type of device. You can see what devices are connected to what
[19:29.920 --> 19:34.920]  networks. Just using a tool like airodump-ng, which, again, is a super old tool, but still works great.
[19:35.140 --> 19:38.300]  You can, you know, take a look at this screen. And if you're not familiar with the screen,
[19:38.300 --> 19:42.920]  then, oh, well, I'll kind of explain it right now. So, if you look at the top left corner,
[19:42.920 --> 19:47.880]  there's BSSID, and that is basically, you know, the access point hardware address.
[19:48.320 --> 19:53.800]  And then, down below, you see the access point and then devices connected to that access point.
[19:53.860 --> 19:57.980]  And if you just take a quick look, you can see power levels will kind of associate roughly with,
[19:57.980 --> 20:01.660]  you know, distance away from that access point. The power level is what you'd be looking at.
[20:01.700 --> 20:05.040]  And then, if you can see devices that are connected to that access point, well,
[20:05.040 --> 20:10.600]  MAC addresses are basically handed out, or at least ranges of them are handed out to hardware
[20:10.600 --> 20:15.360]  manufacturers, and they can be identified by just a couple of octets. And so, if you were to plug
[20:15.360 --> 20:22.140]  in... so, if you... I'll switch back. If you look at this, you'll see that, basically, you know,
[20:22.140 --> 20:28.340]  that 18:B4:30, if you were to plug that into Google, what that gets you is that it says,
[20:28.340 --> 20:32.040]  oh, that's Nest. And so, from that, I can say, okay, well, maybe they have a Nest camera on
[20:32.040 --> 20:36.900]  this network. You know, should I look for Nest cameras? You know, maybe there is a Nest thermostat,
[20:36.900 --> 20:42.260]  and you can basically, as an attacker, I don't need to know what your username, your password is.
[20:42.260 --> 20:47.900]  I don't need to know, you know, really anything else about your company, organization, or wireless
[20:47.900 --> 20:51.420]  networks, because I can see all of that in the clear. I can see, you know, what at least types
[20:51.420 --> 20:56.240]  of devices are connected. And so, really, it's one of these things. I know I'm going to keep saying
[20:56.240 --> 21:03.120]  it over and over and over and over, but it's simple to detect somebody like me on your network,
[21:03.120 --> 21:07.280]  but it's typically not easy. And really, I just kind of want this to be one of those
[21:07.280 --> 21:12.340]  wake-up calls that, you know, if you are a sysadmin, if you do control wireless networks,
[21:12.340 --> 21:18.080]  to kind of take a look at the security policies, the monitoring capability that you have,
[21:18.460 --> 21:22.680]  because at the end of the day, you don't want to be scrambling if you do detect something,
[21:22.680 --> 21:27.920]  or if you do detect a breach or some weirdness. And again, I think just going back to this last
[21:27.920 --> 21:34.180]  slide and showing, you know, check for password spraying, you know, check for any rogue access
[21:34.180 --> 21:38.180]  points that are in your area, have a plan on how to locate them, you know, understand what data
[21:38.180 --> 21:44.240]  somebody like me can see, you know, know how far your access points, you know, broadcast,
[21:44.240 --> 21:47.740]  you know, log the data that you do collect, that you have the capability of collecting,
[21:47.740 --> 21:51.320]  and then look at them from time to time and notice if there's anything strange or weird,
[21:51.320 --> 21:56.960]  and then maybe build some policies out to alert you if anything funky does look like it's happening.
[21:57.960 --> 22:04.720]  Again, I think this is all simple. It's not easy always to configure. So, hopefully that was
[22:04.720 --> 22:09.740]  helpful. I will be around in the Wireless Village if anybody wants to send me questions, and maybe
[22:09.740 --> 22:14.880]  I'll add some contact information to this on the page after it gets posted. But again, I hope it's
[22:14.880 --> 22:20.900]  helpful. I know this may seem like a super one-on-one, easy mode talk, but each and every
[22:20.900 --> 22:25.360]  one of these aspects is something that, you know, one of my clients has potentially not done
[22:25.360 --> 22:29.880]  that has led me to compromise their organization. And if everybody looked at this and kind of had
[22:29.880 --> 22:33.780]  this in the back of their mind, if you're a sysadmin that controls networks, or maybe you're
[22:33.780 --> 22:37.420]  not even a sysadmin that controls your wireless networks, but you could bring this to them,
[22:37.420 --> 22:42.260]  it would go pretty darn far. Because at the end of the day, everybody has logging in place for
[22:42.260 --> 22:46.860]  their external network infrastructure and for their internal network infrastructure.
[22:47.100 --> 22:52.900]  But wireless, for some reason, is the extension of your, you know, of your internal network
[22:52.900 --> 22:58.020]  beyond your walls, potentially. And it can let somebody like me, or somebody worse than me,
[22:58.020 --> 23:03.240]  somebody who actually is trying to do some harm to your network, in, and you won't even see them.
[23:03.240 --> 23:08.100]  You won't even know that they're there. They will be, you know, for your eyes unseen. Again,
[23:08.100 --> 23:12.180]  hopefully it's helpful. I know this may seem like kind of like a one-on-one-ish talk, but
[23:13.160 --> 23:16.180]  it might be something that you need to hear. So, take it for what it's worth. And if you
[23:16.180 --> 23:20.160]  have any questions, feel free to contact me and I'll be in Discord. All right, talk to you guys
[23:20.160 --> 23:20.520]  later.
[23:20.860 --> 23:21.220]  Transcribed by https://otter.ai
